3. What is Bug Bounty?
Companies pay money for finding security vulnerabilities in their services/software
• Google Vulnerability Reward Program (VRP)
• Facebook
• Yandex (“Охота за ошибками”)
• …
• https://hackerone.com/
3
4. Why GitHub?
• We use it
• Blackbox -> Whitebox (GitHub Enterprise)
• Fun
• Bounty
4
5. 01
› Available as Virtual Machine image at
https://enterprise.github.com/
› 45 days trial included
GitHub Enterprise
7. VMware ESXi to Virtual Box (RAW)
7
vbox-img convert --srcfilename ghe-disk1.vmdk
--dstfilename ghe-disk1.raw
--srcformat VMDK
--dstformat RAW
Красный цвет
не правильный
20. 20
#
# Seriously, CC @github/appsec and @github/dotcom-security
# if you need to touch this file
#
class ApplicationController
after_filter :set_html_safe
private
# Overrides default CSP with the preview policy if enabled for current_user
#
# Returns nothing.
def set_security_headers
if preview_features?
SecureHeaders.use_secure_headers_override(request, :preview_policy)
end
…
21. Main GitHub application
• 1.5M+ LOC
• Sinatra
• Secure randoms, MsgPack serializer
• Pretty clean code
21
22. Hardcoded credentials
22
auth = "apt:6YLkX******h0zXf"
github_package_host =
if hostname.end_with?(".iad.github.net")
"packages.iad.github.net"
else
"packages-ext.iad.github.net"
end
set_up_source
:id => "github",
:deb => "https://#{auth}@#{github_package_host}/github-precise precise main",
:key => "https://#{auth}@#{github_package_host}/pubkey.gpg?OCC30EA6"
end
Красный цвет
не правильный
23. Hardcoded credentials
23
uri = URI.parse("https://secure.braintreepaymentgateway.com/api/transact.php")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
if Rails.production?
http.ca_file = "/usr/lib/ssl/certs/ca-certificates.crt"
end
params = {
"transactionid" => transaction_id,
"username" => "github",
"password" => "g********6",
…
Красный цвет
не правильный
27. 27
get "/cluster-preflight“ do
role = params[:type]
cluster_roles = %w(git web job mysql elasticsearch redis memcache metrics pages
storage)
if cluster_roles.include?(role)
output = IO.popen(["sudo", "/usr/bin/env", "CLUSTER_ROLE=#{role}",
"/usr/local/share/enterprise/ghe-preflight-check"]) { |io| io.read }
if $?.exitstatus == 0
status 200
else
status 400
output
end
else
…
32. src/util.c
32
assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char)));
strncpy(line, read_buffer, strlen(read_buffer));
// See if we need to finish reading the line
while(line[strlen(line) - 1] != 'n') {
rc = fgets(read_buffer, sizeof(read_buffer), f);
if((rc == NULL) && feof(f)) {
// We got everything that we can get, so we'll
// call it a "line"
break;
}
…
Красный цвет
не правильный
33. src/util.c
33
assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char)));
strncpy(line, read_buffer, strlen(read_buffer));
// See if we need to finish reading the line
while(strlen(line) && line[strlen(line) - 1] != 'n') {
rc = fgets(read_buffer, sizeof(read_buffer), f);
if((rc == NULL) && feof(f)) {
// We got everything that we can get, so we'll
// call it a "line"
break;
}
…
Красный цвет
не правильный
34. Babeld as SVN proxy
34
haproxy babeld
github app
slumlord
POST /auth
GET /repo
40. 40
gdb-peda$ bt
#0 _IO_vfprintf_internal (s=s@entry=0x7fbdfc8224d0,
format=format@entry=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu
client_recv=%lu client_sent=%lu ", ap=ap@entry=0x7fbdfc822638)
at vfprintf.c:1315
#1 0x00007fbdfb6d5409 in _IO_vsnprintf (string=0x7fbdfc8228ef "", maxlen=<optimized
out>,
format=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu
client_sent=%lu ", args=args@entry=0x7fbdfc822638) at vsnprintf.c:119
#2 0x00007fbdfb6b3e22 in __snprintf (s=<optimized out>, maxlen=<optimized out>,
format=<optimized out>) at snprintf.c:33
#3 0x0000000000417314 in log_with_timestamp (fmt=0x44bc45 "duration_ms=%f
fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") at log.c:83
...
41. 41
...
#250 0x0000000000417b8f in log_with_timestamp (fmt=0x44bc45 "duration_ms=%f
fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ")
at log.c:212
#251 0x000000000041272b in http_generic_client_thread (ctx=0x44bc45,
handler=0x191) at http-server.c:303
#252 0x000000000041886b in http_svn_client_thread (arg=<optimized out>) at http-
server-svn.c:42
#253 0x00007fbdfba160a4 in start_thread (arg=0x7fbdfc8e1700) at pthread_create.c:309
#254 0x00007fbdfb74b5dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111